Connected medical devices are some of the most critical assets for hospitals today – and they are often the most vulnerable within their networks.
Unlike other critical IT assets, connected medical devices are typically not protected or visible to IT control or cyber security systems. In fact, most hospitals would be hard pressed to know how many medical devices are connected to their network, how they are connected, or what type they are.
Worse yet, many of these devices are exposed to significant cyber risk as they run unpatched software, use insecure communication protocols, and lack any real security controls.
That’s a very concerning reality for hospitals, particularly when patient safety and confidentiality is on the line.
Short of upgrading every single connected medical device in their network - a daunting task - what can hospitals do to help mitigate the risk of a breach to their network or connected medical devices?
Make surgical cuts
Look no further than micro-segmentation.
Micro-segmentation is a security technique that divides a network into smaller, isolated segments so that traffic between the segments can be monitored and controlled.
Security policy is applied and enforced down to the application level, without the need for passing through perimeter-based security, such as a firewall.
Implementing a micro-segmentation model allows you to restrict access to only trusted and legitimate services running on every asset or application in the network, reducing the attack surface and the chances of a successful breach.
So how exactly does micro-segmentation work?
Transfer data laterally
Virtualization technology has improved to the point where a traditional server can now host hundreds of applications. As a result of this increased capability, networked servers communicate with each other as traffic flows between the critical applications they host in what is called an “east-west” (or lateral) direction.
This is a shift from traditional network architectures, where traffic flows in a “north-south” direction as client-server communication passes through perimeter-based security.
Since “east-west” traffic does not flow through perimeter-based security, there is a requirement for each of the hosted applications to have their own security measures in place. By using a zero-trust approach, policies can be created to ensure that only trusted and verified data can pass between the applications, ensuring that they remain secure from a potential breach.
Of course, there’s a catch – while micro-segmentation is highly effective and resilient from a security perspective, it’s also very challenging to implement and execute properly.
How do you get it “right”?
“X-ray” your network
To implement a proper micro-segmentation solution in a hospital environment, you need to have visibility of the information flows to and from each of the devices on the network. Gaining insight into the services they are using and/or exposing is essential.
One major challenge with implementing micro-segmentation in a hospital environment is that medical devices are distributed on the network, outside of a data center. This makes getting visibility into “east-west” traffic much more difficult.
Additionally, you must have the ability to identify and classify all the devices connected to the network. Typically, networks are operating in a multi-vendor, multi-device type clinical environment, which complicates matters even more as communications protocols can be proprietary and obscure.
After baselining these, you’ll then need to configure specific security policies for the operational contexts and semantics so you can determine what to let in and what to block.
The benefits are significant, including a reduced attack surface, centralized policy management, and improved regulatory compliance.
It will take proper planning, discipline, and the right tools to accomplish an undertaking like micro-segmentation. The good news is more organizations are pushing for it, and there will be lessons learned and skills developed to ease the process.
Ultimately, the value of an improved security posture is hard to quantify. It not only brings efficiencies to your organization, but it further protects your most precious assets – your patients and your caregivers.